When to Assess Security and Privacy During the Procurement Process

Many organizations are concerned about security, privacy and vendor management for information technology (IT) services and applications, and rightly so. As more organizations purchase “Anything as a Service” (XaaS) cloud-computing products, the need for understanding the security and privacy status of those products grows because:

• The organization may no longer control its most sensitive data and may be dependent on the vendor for critical business processes involving that data.
• Organizational data could potentially be aggregated with the data of the vendor’s other customers, leading to privacy concerns.
• The vendor could have security or technology defects in its infrastructure that impact the organization.
• The organization must rely on vendor attestations to comply with laws and regulations.

Tools for evaluating the security and privacy of third party applications and services proliferate. You can ask a Software as a Service (SaaS) provider to provide you with an external audit report that certifies its internal controls. You can subscribe to a service that conducts a security review for you. Or you can self-assess the application or service you are considering using at your organization. Your options, and the tools available to evaluate IT acquisitions, are seemingly limitless.

While the assessment and evaluation tools may be limitless, the window of time to successfully conduct such a security and privacy review is not. Evaluate an IT-based service too early in the procurement process and you potentially waste your time and that of the vendors under consideration. Evaluate the service too late in the process and it might be harder to address any security and privacy concerns that you discover, especially as your organization becomes convinced that a particular vendor service or application best meets its needs.

Procurement Process Basics
Procurement processes, particularly those at large, complex, and distributed organizations, can be complicated. At a high level, the procurement process includes:

1. Requisition: where a department or unit requests a specific purchase
2. Procurement and contracts: the process by which a requisition is approved for purchase
3. Shipping and receiving: the receipt of the purchased good or services
4. Accounts payable: payment for goods or services received

There are several activities that the procurement department must oversee at each step. Not only must it manage the solicitation and bid process, but procurement departments may also be responsible for budgeting, negotiating and executing contracts, confirming that the goods or services received match the contract terms, paying vendors and service providers, ensuring compliance with organizational policies and local law, and even guaranteeing competitive and ethical business practices for the organization. Thus, working with procurement departments to outline general provisions for IT acquisitions is critical.

Timeline for Assessing the Security and Privacy of IT Acquisitions
Assessing and evaluating the security and privacy of third party IT services and applications can take time. It is also somewhat distinct from assessing and evaluating the organization’s functional requirements for a service or application. While the organization’s list of functional requirements may contain basic security and privacy specifications, evaluating those specifications in depth should come after the organization determines that the service or application meets its basic business needs.

Reviewing security and privacy specifications after a preliminary review of functional requirements and the creation of a shortlist of suitable products ensures that the organization is not wasting resources in reviewing services and applications that will not be selected for procurement. The time for conducting this security and privacy review is during the procurement and contracts phase, usually before selecting a product for a proof-of-concept demonstration or continued contract negotiations.

To ensure that security and privacy specifications are adequately considered during an IT acquisition, organizations should include their IT and information security teams in the basic procurement process as follows:

1. Pre-requisition
   1. A unit considering an IT service or application purchase should alert the organization’s IT team regarding the potential purchase. The IT team can help the unit understand whether the organization already has a particular service that will meet its needs, or help the unit understand the organization’s IT environment and potential integration issues.
   2. The unit should determine functional requirements for a service or application, which may include basic security and privacy specifications.
2. Requisition
   1. If IT has not yet been brought into the conversation regarding a potential IT acquisition, the procurement department should notify the IT unit when it receives an IT service or application requisition request. This helps ensure that the IT unit can help ward off security, privacy, and integration issues early in the process.
3. Procurement and contracts
   1. A shortlist of vendors, services and applications is prepared, ensuring that products on the short-list meet the organization's functional requirements and basic security and privacy specifications.
   2. The IT unit conducts a security and privacy review of services and applications on the shortlist and notifies the procurement department and requisitioning unit of the results of the review.
   3. The procurement department works with the IT unit to ensure that contract negotiations specify service levels, support levels, security and privacy audit requirements, and require identified security and privacy issues to be cured within a specific number of days.
4. Shipping and receiving
   1. On an ongoing basis, the IT team confirms that the service or application continues to meet the organization’s security and privacy specifications.
   2. If there are renewal periods for the service or application, the procurement department and IT unit use the renewal period to update security and privacy specifications as needed.

Organizations should make sure that the procurement timeline contains enough time for the IT unit to conduct the security and privacy review, and enough time for the procurement department to coordinate with the IT unit and vendor in case any issues require further inquiry, clarification or correction. The security and privacy review is integral to ensuring that the IT service or application under consideration will not subject the organization to unacceptable levels of risk.